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REAL TIME MULTI-TASK PROCESS AND OPERATING SYSTEM 

DESCRIPTION 

5 Technical domain 

The present invention concerns a real time process 
and multi-task operating system, particularly in an 
ATSU-type calculator. 

10 

Status of the previous technique 

An ATSU (Air Traffic Services Unit) type 
calculator is an avionic calculator responsible for 

15 managing new ground/on board communications systems 
based on the use of information technology networks 
with global coverage . Such a calculator has a software 
architecture characterised by the implementation of a 
real time multi-task POSIX operating system. 

20 This calculator can include software with 

different criticality levels. A high priority level is 
allocated to the most critical tasks so as to satisfy 
their real time constraints whatever the behaviour of 
the less critical tasks. Nevertheless, the latter do 

25 not have a minimum guaranteed access to the calculation 
resource that can be monopolised in part or in total by 
the most critical tasks. 

One of the resources that can be shared by a POSIX 
real time operating system such as the one described in 

30 the reference document [1] at the end of the 
description is the calculation time (central unit 
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time) . Distribution is implemented by a router that 
relies on a criterion of priority and a measure of the 
execution time of tasks to implement a scheduling 
policy. 

5 In such a real time operating system of the known 

technique the execution period of a task is generally 
measured with the help of so-called "tic" clock pulses 
generated by a period material counter and counted by 
an interruption programme in the software counters. 

10 Each clock pulse is allocated to the task that has the 
central unit resource at the time of the generation of 
the corresponding interruption. The systems keeps a 
global counter (or absolute clock) updated. It contains 
the number of clock pulses from the start-up of the 

15 system and a counter by task (or relative clock) that 
contains the number of clock pulses that have occurred 
while this task has the central unit resource. 

So as not to damage the performance of such a 
system the duration between two clock pulses should be 

20 sufficiently long for their consideration time to 
remain negligible. This way of measuring the time leads 
to imprecise measurement of the duration of tasks as is 
shown by the chronogram illustrated in figure 1 with IT 
interruption-clocks. The measurement of the duration of 

25 two Tl and T2 tasks of the same 10.5 ms duration gives 
a measured value of 3 0 ms for the first task and 0 ms 
for the second task; the parts greyed "10" illustrate 
the use of the central unit resource. 

The chosen scheduling mode in a ATSU- type 

30 calculator is the FIFO (First in - First Out) mode. In 
this mode the scheduler allocates the whole central 
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unit resource for an indeterminate time to the task 
ready to be executed and of the highest priority. If 
several tasks of the same priority are ready to be 
executed they are managed in chronological order and 
5 the first in the list is executed until it is blocked. 
In this event the following in the list is executed. If 
a higher priority task becomes ready, the task being 
executed is pre-empted (it loses the central unit 
resource) and the higher priority one is executed. The 

10 scheduler guarantees that a task that has been pre- 
empted remains at the head of the list to resume 
execution before the others. 

The functioning of such a scheduler is illustrated 
on figure 2. Operating system 11 includes a POSIX/UNIX 

15 12 system interface. The applicative tasks are 
referenced 13 . Time management unit 15 that receives 
IT interruptions of the material counter updates 
software counters (arrow 16) . It sends to scheduler 18 
(arrow 19) a rescheduling request during the expiration 

20 of the quantum time of the current task. Scheduler 18 
allocates (arrow 20) the central unit resource to the 
task that has the highest priority ready to be 
executed . 

Such a distribution policy naturally penalises the 
25 lower priority tasks since the central unit time that 
can be used by them depends on the time left free by 
the higher priority tasks. 

An item of the known technique, referenced [2] at 
the end of the description considers the real time 
30 application scheduling problem in a general use 
operating system. This system is modified so as to take 
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advantage of real time scheduling time while preserving 
the existing software. The architecture considered uses 
a POSIX-type scheduler. A QOS (Quality of Service) 
coefficient is defined by a couple of parameters: 
5 central unit time t, period of time t. A contract 
corresponding to such a coefficient defines that at 
least one duration t should be allocated to a task in 
each period T. the scheduler is informed of the 
parameters to use for each task. 
10 The aim of the invention is to compensate for the 

inconveniences defined above while proposing a real 
time multi-task process and operating device, 
particularly in an ATSU-type calculator. 



15 Report on the invention 



The present invention concerns a real time multi- 
task operating process in which is defined a set of 
parameterisable fixed duration observation windows, 
20 characterised by the fact that it includes: 

an allocation stage of a maximum execution 
duration for each task in each window during which a 
scheduler guarantees a minimum execution time for lower 
priority tasks . 

25- A calculation stage for time spent by each task 

during each observation window. 

A sanction stage during which the tasks which 
exceed their quota in a given observation window are 
sanctioned and can only resume the central unit 

30 resource during the following observation window 
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The advantage of this during the calculation stage is 
that the value supplied by a global software counter is 
used and refined by adding to it the time passed since 
the last clock pulse read at one go in a material 
5 counter as well as a rerouting stage: a first rerouting 
point existing in the scheduler code, a second 
rerouting point existing in the interruption programme 
for treating clock pulses. The latter, which has higher 
priority than all the tasks of the system, allows the 
10 time spent by the task in progress to be calculated and 
to sanction it if its quota is exceeded. 

The sanction stage takes place during a change of 
task (has the outgoing task exceeded its quota?) or 
during the generation of a clock pulse (has the current 
15 task exceeded its quota?) . The sanction stage can 
consist of a lowering of the task priority, a stoppage 
of the task or a destruction of the task. 

In a beneficial implementation mode the 
invention process includes: 
20 * a start-up stage in which: 

rerouting procedures are installed 
a supervision task is launched 

the duration of the observation window is 
configured 

25 * a management task stage in which: 

- during the creation of a task: 

the maximum duration of use of the central 
unit resource is configured in the 
observation window and the sanction to apply 
30 in the event of overshoot 

the surveillance of this task is launched 
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during the termination of this task: 

the surveillance of this is inhibited 
during the switching of his outgoing ask to 
another entering task: 
5 the event is dated 

the time for start-up activation of the 
entering task is recorded 

the time spent on the outgoing task during 
the observation window is calculated 
10 a sanction is applied if the time spent by 

the outgoing task is higher than the maximum 
allocated 

* a clock pulse management stage or "tic" in 
which : 

15 - the time spent by the task in progress is 

calculated 

a sanction is applied if the time spent is 
higher than the maximum allocated time 

* an observation window management stage in which: 
20 - at the beginning of the window the time spent on 

tasks is put at zero 

at the end of the window the sanctioned tasks 
are rehabilitated 

25 The invention also concerns a real time multi-task 

operating system, characterised by the fact that it 
includes a surveillance module which contains a 
rerouting procedure code for putting in place rerouting 
points, an interface, for example a UNIX standard of 

30 accessible functions by a supervision task, a time 
management unit and a scheduler. 
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The invention system makes it possible, beyond 
temporal segregation constraints, to ensure a fairer 
distribution of the central unit resource and to 
improve the robustness of the system by controlling an 
5 exclusive potential use of the resource. It can also be 
advantageously used in an ATSU type calculator. 

Brief description of the drawings 

10 Figure 1 illustrates a measurement of the 

execution duration in a system of the known technique. 

Figure 2 illustrates the functioning of a 

scheduler in a real time multi-task operating system 

of the known technique . 
15 Figure 3 illustrates the functioning of a 

scheduler in the real time mult i -task time operating 

system of the invention. 

Detailed report of implementation modes 

20 

In the invention process a set of observation 
windows is defined, of a fixed duration and 
parameterisable . In each window a maximum execution 
duration (a quota) is allocated to each task. During a 

25 given window the task that exceeds their quota are 
sanctioned and can only resume the central unit 
resource during the following window. Also so as not to 
fall into the problem of measuring the previous 
technique such as previously described and to guarantee 

30 a reliable control of the distribution of the central 
unit resource, a precise calculation of the time spent 
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in each task is made. In the invention process it is no 
longer the clock pulses, as described previously, which 
are counted according to the task in the process of 
execution. Instead it is the dates for the beginning 
5 and end of their activation. To date these events the 
value supplied by the global software counter is used, 
which is refined by adding to it the time spent since 
the last clock pulse (residue) read at one stroke in 
the material counter. 

10 

The dating of events during a change of task 
necessitates the putting into place of a rerouting 
point ("Hook" procedure) in the scheduler's existing 
code. Such a "Hook" process is a simple routine call 

15 familiar to the professional. Nevertheless this sole 
rerouting point does not allow the detection of an 
exclusive use of the central unit by a high priority 
task since specifically no change of task context can 
operate. Another rerouting point is thus placed in the 

20 process interruption programme of the clock pulses. The 
latter, with higher priority than all the system tasks 
makes it possible to calculate the time spent by the 
task in progress and to sanction it if its quota is 
exceeded. The reaction time of the sanction depends on 

25 the clock pulse duration. Thus in an operating system 
set to 10 ms , a task which consumes time excessively is 
sanctioned at the most 10 ms after exceeding its quota. 

A surveillance module is integrated into the 
operating system as a pilot or "driver" . It contains 

30 the rerouting procedures' code and offers a standard 
UNIX interface of accessible functions by the 
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supervision task (parameterisation of surveillance, 
recovery of information about the consumption of tasks, 
reading of the history of overshoots) . 

5 A sanction can be applied at two points: on a 

change of task (has the outgoing task exceeded its 
quota?) or on the generation of a clock pulse (has the 
current task exceeded its quota?) . A sanction is the 
subject of a trace preserved in a history that can be 
10 consulted by the supervision task. It can take several 
forms - lowering of task priority, stoppage of the 
task, or destruction. 

Figure 3 illustrates the functioning of a 
15 scheduler in the real time multi-task, operating 
process of the invention. The elements that already 
existed on figure 2 preserve the same references. The 
supervision task is referenced 30. Time management unit 
15 enables at the same time (arrow 31) : 
20 - updating of software counters 

recovery of time residue 
A surveillance module 32 enables (arrow 33) a 
surveillance parameterisation surveillance and sends 
(arrow 34) information on the status of tasks. It also 
25 enables (arrow 3 5) : 

dating of events 

control of use of central resource unit. 
- A sanction 
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It receives (arrow 37) IT interruptions of the 
software counter for the start of each observation 
window. 

Time management unit 15 receives from surveillance 
5 module 32 message 38 for reading current time and sends 
counter event message 40 via rerouting process 39. 
Scheduler 38 sends task change event 43 to surveillance 
module 32 via rerouting process 42. 

The functioning of such a system is summed up in 
10 table 1 located at the end of the description that is a 
table of states of the surveillance 32 . 

Two characteristics of the POSIX l.d standard can 
be compared with the invention process: 
15 - the "sporadic" server 

the surveillance and specific measurement of 
the execution time. 
In this standard, this sporadic server consists of 
constantly keeping a reserve of central unit time in a 
20 so-called filling time for aperiodic tasks in the 
system. To the idea of a reserve is linked a notion of 
high priority processing. As soon as an aperiodic task 
is activated it passes to a high priority and draws 
from its time reserve. If its time reserve has passed 
25 it goes to low priority until the next filling time. In 
increasing the priority of lower priority tasks during 
a given time quota the latter are sure of being taken 
into account for a certain time. 

On the other hand the approach of scheduler 18 
30 according to the invention is the opposite. To 
guarantee an execution time for lower priority tasks 
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this limits the execution time of higher priority- 
tasks . 

The POSIX.lb also suggests real time extensions 
for time management. It offers the opportunity to have 
5 access to an absolute clock with a greater precision 
than that given by the clock pulses' global software 
counter. It enables definition software alarms via this 
clock. The POSIX.ld standard suggests, also, the use of 
a relative clock concept: the execution time of each 

10 task is kept updated with greater precision than that 
given by the clock pulses' local software counter. In 
the same way as with the absolute clock it is possible 
to programme alarms associated to each relative clock. 
The expiration of the alarm triggers a signal to the 

15 task concerned which can decide itself to be suspended 
for a certain time before resuming the central unit 
resource: the global control of the execution time is 
the responsibility of each task and is a decentralised 
control . 

20 The measurement of execution time of each task in 

the invention's scheduler 18 takes up this principle 
again but the decision to sanction a task is taken at 
the level of the scheduler in a centralised way. 

We shall now describe the UNIX 12 standard 

25 interface. To control the parameters of the invention's 
scheduler 18 and to supervise the activities in a UNIX- 
type operating system, the pilot code or "drivers" is 
accessible by the user through a special file. The 
invention scheduler is a pilot that offers a user 

30 interface in the form of generic services applied on 
the special file and described in the POSIX 1003.1 
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standard. A specific implementation corresponds to a 
generic service specific to the pilot. Opening and 
closing file operations (with control of access 
rights) , reading the overshoot history and finally the 
5 control /parameterisat ion operation of the invention 
scheduler are all separate. The rerouting procedures 
are internal pilot services not directly accessible 
from the programme user. 

The functioning of such an interface is 
10 illustrated in table 2 located at the end of the 
description . 

Application of the invention procedure in an avionic 
configuration 

15 The invention procedure can be used in the on 

board context of an ATSU (Air Traffic Services Unit) 
which manages the links between certain aeroplane 
equipment and ground/on board communication resources. 
The main functions of this calculator are carried out 
20 by the following applications: 

the air traffic service application or ATC 
(management of crew dialogue/CPDLC/AFN, ADS 
surveillance ) 

the company operational communication or AOC 
25 applications 

When the ATSU calculator is delivered the client 
company can implement its own applications, developed 
by itself or developed for it by a third party. The 
constraints associated with such a requirement are 
30 manifested by an acceptance structure enabling: 
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these different developments to be made as 
autonomous as possible. 
- The guaranteeing of the non perturbation of an 
ATC by an AOC application 
5 - The guaranteeing of a processing capacity for 

each task 

Thus in the invention procedure quotas are allocated 
for the different tasks to guarantee a minimum 
execution time for AOC applications (lower priority 

10 than ATC applications) . As soon as the quota is reached 
for an application a trace is preserved in the 
overshoot history and a sanction is applied. The quotas 
and sanctions for each ATSU application are listed in a 
configuration file. This file is read by the privileged 

15 process responsible for launching all the applications. 
This process thus positions the scheduling attributes 
for each application and enters in a surveillance mode 
in the expectation of possible quota overshoots. 
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Table 1 



SYSTEM 
EVENT 


ACTION OF SURVEILLANCE MODULE 32 


Start-up of 
the system 


install the rerouting procedures 
launch the supervision task 
configure the duration of the observation 
window (done by supervision task 30) 


Creation of 
a task 


configure the maximum duration of use of 
the central unit resource in an observation 
window and the sanction to apply in the 
event of overshoot (done by supervision task 
30) 

launch task supervision 


Termination 
of a task 


inhibit the task surveillance 


Switching a 
task 


date the event (from clock pulse software 
counters and the material counter residue) 

record the activation time of the 
entering task 

calculate the time spent by the outgoing 
task during the observation window 
(accumulation of activation times) 

apply a sanction if the time spent is 
longer than the maximum allocated time 
(quota) 


Material 
clock pulse 


calculate the time spent for the task in 
progress 
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SYSTEM 
EVENT 


ACTION OF SURVEILLANCE MODULE 32 


("tic" ) 


apply a sanction if the time spent is 
longer than the maximum allocated time 
(quota) 


Beginning 
of the 
observation 
window 


put at zero the time spent for system 
tasks 


End of the 

observation 

window 


rehabilitate the sanctioned tasks 
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Table 2 



UNIX/POSIX system 
interface 


Parameters 


Function carried 
out in the driver 


Int open 

( char * filename , 

int mode) 


. f ilename=/devf ssO 
.mode-0_RDWR 
(Reading, writing) 
returns a file 
descriptor 


Check that the 
application which 
opens the file has 
the super-user 
privileges 


Int close (int fd) 


.fd= tile 
descriptor 


Check that the 
application which 
closes the file 
has the super-user 
privileges 


Int read (int 
fd, 

Char*buf, int 
size) 


. fd=file 
descriptor 

.buf=memory zone 
in which the (s) 
historic elements 
will be remounted 

.size=buf size 


Consult the 
history of quota 
overshoots 


Int write 
(intfd, int cmd 
Char*arg) 


Not implemented 


Not implemented 


Int ioctl (int 
fd, int cmd, 
char*arg) 


. fd= file 
descriptor 


Launch the period 
software counter 
which defines the 
duration of the 
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DNIX/POSIX system 
interface 


Parameters 


Function carried 
out in the driver 




. cmd=START_WINDOW 
.arg not used 


observation window 




. fd=f ile 
descriptor 


Stop the periodic 
counter 




. cmd=STOP WINDOW 
. arg not used 




Int ioctl (int 
fd, int cmd, 
char*arg) 


. fd=f ile 
descriptor 

. cmd=SET_WINDOW_DE 
LAY 

. arg= value in 
milliseconds of 
the duration of 
the observation 
window 


Configure the 
duration of an 
observation window 




. fd=f ile 
descriptor 

. cmd=GET_SCHED_VAL 


Recover the 
scheduling 
attributes for an 
activity (quota 
and sanction) 
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UNIX/POSIX system 
interface 


Parameters 


Function carried 
out in the driver 




. arg= scheduling 
attribute 

(quota and 
sanction 
positioned for a 
process) 






. fd=f ile 
descriptor 

. cmd = GE T_S CHED_VAL 

. arg=scheduling 
attributes 


Position the 
scheduling 
attributes for an 
activity (quota 
and sanction type) 










. fd=f ile 
descriptor 

. cmd=GET_SCHED_VAL 

. arg=measurement 
values of the time 
spent by a task in 
the observation 
window 


Recover the 
current values 
used by the driver 
to count the time 
of a task 
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